
Breach Report: Former UPMC Employee Viewed Records Inappropriately

December 4, 2013
by Gabriel Perna

A former employee at University of Pittsburgh Medical Center’s (UPMC) McKeesport hospital viewed the protected health information (PHI) of nearly 1,300 patients, the health system recently announced.

The employee, who held an administrative position as a "unit coordinator" according to media reports, accessed patient medical records, which included patients’ names, dates of birth, contact information, treatment and diagnosis information, and Social Security numbers. She did not have a valid reason to do so, which is a violation of the federal Health Insurance Portability and Accountability Act (HIPAA).

“We apologize for any concern or inconvenience that this may cause for our patients. I want to stress that patient care was never affected,” John Houston, UPMC’s vice president of privacy and information security, said in a statement. “Fortunately, one of our employees who became aware of the inappropriate activity alerted hospital management in early November, and we were able to track and stop this improper behavior.”

UPMC says the woman was fired and that local and federal authorities have been alerted. The health system says it is providing additional employee training and continuing its own review with the aim of enhancing its privacy policies and procedures. The health system did not identify a motive for the access.

“The former employee reported to UPMC that she did not store this information or use it for financial gain,” Houston said in a release.  

Email Malware Causes Breach at UW Medicine

At the Seattle-based University of Washington (UW) Medicine, an employee opened an email attachment that contained malicious software (malware). The malware took control of the computer, which had patient data stored on it.

The health system said the computer contained private health data on roughly 90,000 Harborview Medical Center and University of Washington Medical Center patients. The data included name, medical record number, other demographics (which may include address and phone number), dates of service, charge amounts for services received at UW Medicine, Social Security number or HIC (Medicare) number, and date of birth.

According to UW Medicine, the patient information was not sought or targeted.
